Sunday, March 13, 2022

Review – Public ICS Disclosures – Week of 3-5-22 – Part 3

Finally, this week we have six more vendor disclosures from Schneider (3) and Siemens (3). Then we have sixteen updates from Schneider (6) and Siemens (10).

Schneider Advisory #1 - Schneider published an advisory describing two vulnerabilities in their EcoStruxure™ Control Expert and EcoStruxure™ Process Expert products.

Schneider Advisory #2 - Schneider published an advisory (NOTE: this is a .ZIP link that downloads two .PDF versions of this advisory, one in Chinese and the other in English) describing three vulnerabilities in their APC Smart-UPS uninterruptible power supply devices.

Schneider Advisory #3 - Schneider published an advisory describing an information exposure vulnerability in their Ritto Wiser™ Door.

Siemens Advisory #1 - Siemens published an advisory discussing an improper restriction of operations within the bounds of a memory buffer vulnerability in their RUGGEDCOM product line.

Siemens Advisory #2 - Siemens published an advisory describing an improper access control vulnerability in their Mendix Studio Pro.

Siemens Advisory #3 - Siemens published an advisory discussing an out-of-bounds write vulnerability in their RUGGEDCOM ROX devices.

Schneider Update #1 - Schneider published an update for their Log4Shell advisory that was originally published on December 13th, 2021.

Schneider Update #2 - Schneider published an update for their AT&T Labs’ Compressor advisory that was originally published on August 10th, 2021.

Schneider Update #3 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on September 14th, 2021.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-21-259-02).

Schneider Update #4 - Schneider published an update for their PrintNightmare advisory that was originally published on November 9th, 2021.

Schneider Update #5 – Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on July 13th, 2021.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-21-194-01).

Schneider Update #6 – Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on November 18th, 2021.

Siemens Update #1 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on February 17th, 2022.

Siemens Update #2 – Siemens published an update for their Insyde BIOS advisory that was originally published on February 22nd, 2022.

Siemens Update #3 – Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on February 8th, 2022.

Siemens Update #4 – Siemens published an update for their Controllers CPU 1518 MFP advisory that was originally published on May 11th, 2021.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-21-131-15).

Siemens Update #5 – Siemens published an update for their Amnesia:33 advisory that was originally published on March 9th, 2021 and most recently updated on February 8th, 2022.

Siemens Update #6 – Siemens published an update for their general Log4Shell advisory that was originally published on December 13th, 2021 and most recently updated on February 8th, 2022.

Siemens Update #7 – Siemens published an update for their Industrial PCs advisory that was originally published on May 11th, 2021 and most recently updated on August 10th, 2021.

Siemens Update #8 – Siemens published an update for their RUGGEDCOM advisory that was originally published on March 8th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-069-12).

Siemens Update #9 – Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on February 8th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-20-105-08) for this information.

Siemens Update #10 – Siemens published an update for their RUGGEDCOM advisory that was originally published on March 8th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-069-01) for this information.

 

For more details on these disclosures, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-918 - subscription required.
